Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: receiving, at a client device and from a server, an authorization to update a first Issuer Security Domain (ISD) encryption keyset at the server; generating, via a secure element on the client device, a second ISD keyset that is to be used to update the first ISD encryption keyset at the server; encrypting, via the secure element on the client device, the second ISD keyset with a server public key to yield an encrypted second ISD keyset; and sending the encrypted second ISD keyset to the server for updating the first ISD encryption keyset at the server with the second ISD keyset, wherein the second ISD keyset replaces the first ISD encryption keyset at the server, and the second ISD keyset is known only to the server and the secure element.
2. The method of claim 1, wherein the secure element comprises at least one security domain, and the at least one security domain is one of an Issuer Security Domain, a Controlling Authority Security Domain, and a Supplemental Security Domain.
3. The method of claim 2, wherein the Issuer Security Domain is a top level security domain that manages at least one other domain.
4. The method of claim 3, wherein the Issuer Security Domain manages at least one of card content, card life cycle and application life cycle.
5. The method of claim 1, wherein the secure element is implemented according to Global Platform Card specifications, and the second ISD keyset is not based upon an encryption key received from a third party vendor.
6. The method of claim 1, wherein the secure element stores at least one cryptographic key relating to a security domain.
7. The method of claim 6, wherein access to a security domain is limited to processes having access to a cryptographic key for the security domain.
8. The method of claim 1, wherein the secure element comprises a dedicated hardware component within the client device.
9. The method of claim 8, wherein the server communicates with the secure element via the client device.
10. The method of claim 8, wherein the authorization is issued during an initial activation of at least one of the client device and an application.
11. A method, comprising: sending, from a server to a client device, an authorization to update a first Issuer Security Domain (ISD) encryption keyset; receiving, at the server from the client device, an encrypted second ISD keyset, wherein a second ISD keyset is generated within a client-side secure element, and the second ISD keyset is encrypted within the client-side secure element to yield the encrypted second ISD keyset; and updating the first ISD encryption keyset at the server with the second ISD keyset, wherein the second ISD keyset replaces the first ISD encryption keyset, and the second ISD keyset is known only to the server and the client-side secure element.
12. The method of claim 11, wherein the client-side secure element is implemented using Global Platform Card specifications, and the second ISD keyset is not based upon an encryption key received from a third party vendor.
13. The method of claim 11, wherein the authorization is based on an Issuer Security Domain keyset initialization script generated at the server, and the initialization script is based on an existing encrypted Issuer Security Domain keyset.
14. The method of claim 13, wherein the existing encrypted Issuer Security Domain keyset is decrypted at the server using a server private encryption key prior to sending the authorization.
15. The method of claim 11, wherein the encrypted second ISD keyset is encrypted using a server public encryption key that corresponds to a server private encryption key.
16. A system, comprising: a processor; a memory configured to store computer executable instructions that, when executed by the processor, cause the system to: generate, at a vendor, an Issuer Security Domain (ISD) encryption keyset; send the ISD encryption keyset and a server public key to a secure element at a client device, wherein the secure element implements at least a portion of Global Platform Card specifications; encrypt, at the vendor, the ISD encryption keyset with the server public key to yield an encrypted ISD keyset; and send the encrypted ISD keyset to a server, wherein an existing ISD encryption keyset at the server is updated securely with a new ISD keyset generated by the secure element without the use of the vendor, and the new ISD keyset is known only to the secure element and the server.
17. The system of claim 16, wherein the secure element comprises a dedicated hardware component within the client device.
18. The system of claim 17, wherein the server services at least one secure element within the client device identified by an element identification component.
19. The system of claim 18, wherein each secure element has a different ISD encryption keyset identified by the secure element identification component.
20. A non-transitory computer-readable storage medium configured to store instructions that, when executed by a client device, cause the client device to perform steps comprising: receiving, at the client device, an Issuer Security Domain (ISD) encryption keyset and a server public key, wherein the ISD encryption keyset is generated at a vendor, and the client device includes a secure element; storing the ISD encryption keyset and server public key at the client device; and generating, via the secure element, a new ISD keyset that is to be used to update an existing ISD keyset at a server, wherein the existing ISD keyset at the server is updated securely with the new ISD keyset without the use of the vendor, and the new ISD keyset is known only to the secure element and the server.
21. The non-transitory computer-readable storage medium of claim 20, wherein the secure element has at least one security domain, and the at least one security domain is one of an Issuer Security Domain, a Controlling Authority Security Domain and a Supplemental Security Domain.
22. The non-transitory computer-readable storage medium of claim 20, wherein the secure element comprises an embedded chip within the client device.
23. The non-transitory computer-readable storage medium of claim 20, wherein the secure element is implemented according to Global Platform specifications.
24. The non-transitory computer-readable storage medium of claim 20, wherein the ISD encryption keyset is generated as part of a pre-personalization stage.
25. A non-transitory computer-readable storage medium storing instructions that, when executed by a computing device, cause the computing device to perform steps comprising: generating, at a vendor, an Issuer Security Domain (ISD) encryption keyset; sending the ISD encryption keyset and a server public key to a secure element embedded within a client device; encrypting, at the vendor, the ISD encryption keyset with the server public key to yield an encrypted ISD keyset; and sending the encrypted ISD keyset to a server, wherein an existing ISD encryption keyset at the server is updated securely with a new ISD keyset generated by the secure element without the use of the vendor, and the new ISD keyset is known only to the secure element and the server.
26. The non-transitory computer-readable storage medium of claim 25, wherein the secure element implements at least a portion of Global Platform Card specifications.
November 10, 2015